Communication terminal, communication method, and program

ABSTRACT

[Problem]
A plurality of control devices cannot control a communication terminal.

[Means for solving the problem]
The communication terminal of the present invention, which is controlled by a control device, includes a first storage means for associating information identifying a packet with processing of the packet and storing it as an entry, a searching means for searching the first storage means for processing corresponding to a received packet, and an inquiry means for determining, if the searched processing is an inquiry to the control device, the control device to be inquired of on the basis of the entry that corresponds to the received packet and is stored in the first storage means, and for performing the inquiry addressed to the determined control device.

TECHNICAL FIELD

The invention relates to a communication terminal, communication method, and a program which connects with a network.

BACKGROUND ART

In recent years, an OpenFlow technology has been disclosed. Non Patent Document 1, Non Patent Document 2, Patent Document 1, and Patent Document 2 describe the OpenFlow. In the OpenFlow, a communication method between an OpenFlow Switch (hereinafter referred to as OFS) function and an OpenFlow Controller (hereinafter referred to as OFC), which is a control device thereof, is defined. The OFS and the OFC are connected with each other through a control path which is called a secure channel. The OFS is controlled by a single OFC.

The OFS includes a flow table therein. In the flow table, at least a set of a header field for identifying a packet flow and processing of the packet is registered as an entry. The header field for identifying a packet flow is called a matching rule. The header field is composed of a plurality of tuples, each of which can designate a wildcard. If the wildcard is designated, a range of the flow can be represented as a group. For example, suppose that a transmission source IP (Internet Protocol) address of a header field of a certain entry is designated, and the other tuples are set to wildcards. At that time, the set entry represents a group of all flows transmitted from the designated IP address. All packets transmitted from the designated IP address correspond to the set entry regardless of the address.

The processing of the packet is called an action. The action includes at least transfer to the designated port, transfer to the OFC, turnover transfer to an input port, abandonment, and the like. The transfer to the designated port is used for packet transfer to the next switch. The transfer to the OFC is mainly used for inquiry of a processing method of the packet.

Receiving the packet, the OFS searches the flow table. If an entry which matches the received packet exists, packet processing is performed in accordance with the action of the matched entry. Priority can be set in the entry. If the packet matches a plurality of entries, the action of the entry with the highest priority is employed.

If no entry which matches the received packet exists in the flow table, the OFS inquires of the OFC how to perform processing of the received packet. At this time, the OFS transfers a part of or all of the packets to the OFC through the secure channel. The OFC receiving the inquiry about the processing adds the entry to the flow table, if necessary, and informs the OFS of the processing method.

Patent Document 3 and Patent Document 4 disclose the network architecture having a control device with a control function and a switch with a transfer function which is controlled by the control device.

RELATED ART DOCUMENT

Patent Document

-   [Patent Document 1] Tokukai 2011-082834 A
-   [Patent Document 2] Tokukai 2011-101245 A
-   [Patent Document 3] Tokukai 2006-135971 A
-   [Patent Document 4] Tokukai 2006-135975 A

Non Patent Document

-   [Non Patent Document 1] Nick McKeown et al., OpenFlow: Enabling Innovation in Campus Networks, [Jun. 28, 2011] Internet <URL: http://www.openflowswitch.org/documents/openflow-wp-latest.pdf>
-   [Non Patent Document 2] OpenFlow Switch Specification Version 1.0.0 (Wire Protocol 0x01) Dec. 31, 2009, [Aug. 31, 2011 search] Internet <URL: http://www.openflowswitch.org/documents/openflow-spec-v1.0.0.pdf>

SUMMARY OF INVENTION

Technical Problem

The OpenFlow disclosed in Non Patent Document 1, Non Patent Document 2, Patent Document 1, and Patent Document 2, and the architecture disclosed in Patent Document 3 and Patent Document 4 are network systems which are based on the premise that a switch operation is finely controlled by a single controller.

In the Documents above, when a plurality of controllers are arranged, it is impossible to control the switch by the plurality of controllers.

An object of the invention is to provide a communication terminal, a communication method, and a program, which can solve the problem described above.

Solution to Problem

A communication terminal of the invention is a communication terminal controlled by a control device, and includes: a first storage means for associating information identifying a packet with processing of the packet and storing it as an entry; a searching means for searching the first storage means for processing corresponding to a received packet; and an inquiry means for determining, if the searched processing is an inquiry to the control device, the control device to be inquired of on the basis of the entry that corresponds to the received packet and is stored in the first storage means, and for performing the inquiry addressed to the determined control device.

A communication method of the invention includes the steps of: searching a first storage means, which associates information identifying a packet with processing of the packet and stores it as an entry, for processing corresponding to a received packet; determining, if the searched processing is an inquiry to the control device controlling a communication terminal, the control device to be inquired of on the basis of the entry that corresponds to the received packet and is stored in the first storage means; and performing the inquiry addressed to the determined control device.

A program of the invention causes a computer to execute a process comprising: searching a first storage means, which associates information identifying a packet with processing of the packet and stores it as an entry, for processing corresponding to a received packet; determining, if the searched processing is processing to be inquired of the control device controlling a communication terminal, the control device to be inquired of on the basis of the entry that corresponds to the received packet and is stored in the first storage means; and performing the inquiry addressed to the determined control device.

Advantageous Effects of Invention

According to the invention, even though a plurality of controllers or control devices controlling a switch or a communication terminal are arranged, the plurality of controllers or the plurality of control devices can control the switch or the communication terminal.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a diagram illustrating a configuration example of a communication device of a first exemplary embodiment.

FIG. 2 is a flow chart illustrating an operation example of a first exemplary embodiment.

FIG. 3 is a diagram illustrating a configuration example of a communication system of a second exemplary embodiment.

FIG. 4 is a diagram illustrating a configuration example of a switch of a second exemplary embodiment.

FIG. 5 is a diagram illustrating a configuration example of a switch of a second exemplary embodiment.

FIG. 6 is a diagram illustrating a configuration example of a flow table of a second exemplary embodiment.

FIG. 7 is a diagram illustrating an example of an entry edit command of a second exemplary embodiment.

FIG. 8 is a diagram illustrating a configuration example of a switch of a second exemplary embodiment.

FIG. 9 is a diagram illustrating an example of entry addition information of a second exemplary embodiment.

FIG. 10 is a flow chart illustrating an operation example of a second exemplary embodiment.

FIG. 11 is a flow chart illustrating an operation example of a second exemplary embodiment.

FIG. 12 is a flow chart illustrating an operation example of a second exemplary embodiment.

FIG. 13 is a flow chart illustrating an operation example of a second exemplary embodiment.

FIG. 14 is a diagram illustrating a configuration example of a switch of a third exemplary embodiment.

FIG. 15 is a diagram illustrating a configuration example of a flow table of a third exemplary embodiment.

FIG. 16 is a flow chart illustrating an operation example of a third exemplary embodiment.

FIG. 17 is a diagram illustrating a configuration example of a switch of a fourth exemplary embodiment.

FIG. 18 is a diagram illustrating a configuration example of a controller flow table of a fourth exemplary embodiment.

FIG. 19 is a flow chart illustrating an operation example of a fourth exemplary embodiment.

FIG. 20 is a flow chart illustrating an operation example of a fourth exemplary embodiment.

DESCRIPTION OF EMBODIMENTS

Exemplary embodiments of the present invention are described in detail with reference to the drawings.

First Exemplary Embodiment

[Configuration]

FIG. 1 illustrates a configuration example of a communication device 1000 of a first exemplary embodiment of the invention. In FIG. 1, the communication device 1000 includes a storage means 1001, a searching means 1002, and an inquiry means 1003. The communication device 1000 connects with a control device, which is not illustrated. The communication device 1000 is controlled by the control device.

The storage means 1001 associates information for identifying a packet with processing of the packet and stores it therein.

When receiving the packet, the searching means 1002 searches the storage means 1001 for the processing corresponding to the received packet.

If the processing searched by the searching means 1002 is an inquiry to the control device, the inquiry means 1003 performs the following operations. The inquiry means 1003 initially determines the control device to be inquired of on the basis of an entry of the storage means 1001 corresponding to the received packet. Next, the inquiry means 1003 performs the inquiry addressed to the determined control device.

[Operation]

Operations of the first exemplary embodiment are described below using a flow chart in FIG. 2.

The searching means 1002 searches the storage means 1001 for the processing corresponding to the received packet (S1001).

If the processing searched by the searching means 1002 is the inquiry to the control device, the inquiry means 1003 determines the control device to be inquired of on the basis of the entry of the storage means 1001 (S1002).

Next, the inquiry means 1003 performs the inquiry addressed to the control device determined in S1002 (S1003).

As described above, in the first exemplary embodiment, the communication device 1000 includes the storage means 1001, the searching means 1002, and the inquiry means 1003. However, each of these means may be included not only in the communication device but also in a communication terminal or other communication apparatus.

Advantageous Effects

As described above, according to the first exemplary embodiment, the communication device determines the control device which is a processing inquiry destination of the received packet and inquires thereof. As a result, the control device which receives the inquiry can determine the processing of the received packet. Therefore, according to the first exemplary embodiment, since one control device to control the received packet can be determined even though a plurality of control devices to control the communication device are arranged, the communication device can be controlled by the plurality of control devices.

Second Exemplary Embodiment

[Configuration]

FIG. 3 is a diagram illustrating a configuration example of a communication system of a second exemplary embodiment. A communication system 1 includes a plurality of controllers 11 connected with a network, which is not illustrated, and a plurality of switches 12. In an example of FIG. 3, a controller 11-A, a controller 11-B, a controller 11-C, and a controller 11-D are arranged as the controller 11. Hereinafter, the four controllers are referred to as the controller 11 when they do not need to be distinguished.

The switch 12 is connected with the plurality of controllers 11 through a control path. The controller 11 connects with the switch 12 to be controlled by the controller 11 and transmits/receives a control message to/from the switch 12.

In the example of FIG. 3, two switches 12 are arranged and one switch connects with the controller 11-A, and the other switch connects with the controller 11-B. In two sections, a section from the controller 11-C to the controller 11-A, and a section from the controller 11-D to the controller 11-B, dashed lines with arrows are depicted to show connection relations. This means that a controller may restrict a communication range controlled by the other controller.

FIG. 4 illustrates a configuration example of the switch 12. According to FIG. 4, the switch 12 includes control communication means 121, flow table management means 122, flow identification means 123, data processing means 124, and a flow table 125.

The control communication means 121 connects with the controller 11, the flow table management means 122, and the flow identification means 123. When receiving the control message from the controller 11, the control communication means 121 sends a control instruction to the flow table management means 122. When the flow table management means 122 feeds back a control result, the control communication means 121 sends the control message to the controller 11, when necessary.

FIG. 5 is a diagram illustrating a configuration example of the control communication means 121. According to FIG. 5, the control communication means 121 includes controller designation processing inquiry means 1211.

The controller designation processing inquiry means 1211 receives an inquiry as to contents of processing of a packet and designation of the controller, and inquires of the controller about the processing.

The flow table management means 122 manages information described in the flow table. The flow table management means 122 is described below in detail.

The flow identification means 123 identifies a flow including the packet which reaches the data processing means 124. The flow identification means 123 connects with the flow table 125. The flow identification means 123 searches the flow table 125 for the processing of the identified flow.

The flow table 125 stores contents of flow processing. A configuration of the flow table 125 is illustrated in FIG. 6, as an example. Entries of the flow table 125 include at least priority, a matching rule, and an action. The priority, a, k, n, and m are natural numbers. The magnitude relation thereof is k<n<m<a. Therefore, in the example of FIG. 6, the entries are arranged in descending order of priority. The matching rule stores tuples, like an IP address, and a MAC (Media Access Control) address, as described in the background art. How to process a packet that matches the matching rule is described in the action.

In the second exemplary embodiment, an action to inquire as to processing by designating the controller may be registered for a packet that matches the matching rule. For example, with respect to a packet belonging to the flow A, an inquiry as to processing to the controller A is performed, and with respect to a packet belonging to the flow C, an inquiry as to processing to the controller B is performed. Thereby, for example, since an inquiry as to processing to the controller A is performed when the switch 12 receives a packet belonging to the flow A, the controller A obtains the operation authority for the flow A. The processing described in the background art may be registered as the action. For example, with respect to a packet belonging to the flow B, processing of transferring to the designated port is performed.

The data processing means 124 receives a packet from another switch connected with the switch 12. When receiving the packet, the data processing means 124 transmits a part of the packet, the whole packet, or a copy of the packet to the flow identification means 123. The flow identification means 123 performs matching with the entry of the flow table 125 to identify the flow, and outputs the action. The data processing means 124 receives the action and performs packet processing.

A method of setting the operation authority in the entry of the flow table 125 in the switch 12 by the controller 11 is described below. The controller 11 describes operation authority information as addition information of the control message for instructing the switch 12 to operate the entry of the flow table 125. Besides the control message, the controller 11 may transmit a special message designating the operation authority to the switch 12.

FIG. 7 illustrates an example of an entry edit command transmitted from the controller 11 to the switch 12. The entry of FIG. 7 defines inquiring of the controller A about processing as the action with respect to the packet with the priority of a and the matching rule of the flow A. The controller 11 transmits the entry of FIG. 7 to the switch 12 and sets the entry of FIG. 7 in the flow table 125 of the switch 12.

The item “Others: ReadOnly” shows the operation authority of the entry of FIG. 7. The target of the operation authority may be discretely designated by the controller A, the controller B, or the like, or may be designated by a group of the controllers. It may also be designated by a macro using the relation between the controller designating the authority and the other controller. In the example of FIG. 7, it is designated that a controller other than the controller designating the authority is allowed to only read. The entry edit command in FIG. 7 gives the controller A the authority thereof. “Others: ReadOnly” shows that a controller other than the controller A is allowed to only read.

Next, the flow table management means 122 is described. As illustrated in FIG. 8, the flow table management means 122 includes authority management/determination means 1221, entry addition information storage means 1222, and flow table operation means 1223.

The authority management/determination means 1221 includes entry operation authority management/determination means 12211 and flow range determination means 12212. The entry operation authority management/determination means 12211 connects with the control communication means 121, the entry operation authority management/determination means 12211, the entry addition information storage means 1222 and the flow table operation means 1223. The flow range determination means 12212 connects with the flow table operation means 1223. The entry addition information storage means 1222 connects with the flow table operation means 1223. The flow table operation means 1223 connects with the flow table 125.

The authority management/determination means 1221 determines the authority in response to a request for the operation of the entry from the controller 11 as shown in FIG. 7, and performs processing according to the determination result.

The entry addition information storage means 1222 stores authority information corresponding to the entry of the flow table 125. The authority information includes permission which is uniquely decided for each controller, and owner information.

The entry operation authority management/determination means 12211 manages the operation authority of the entry and determines whether or not to operate in response to the request for the operation of the entry from the controller 11. When the operation authority is set from entry operation authority instruction means 112 to the entry of the flow table 125 through the control communication means 121, the entry operation authority management/determination means 12211 stores information of the operation authority in the entry addition information storage means 1222. When the controller 11 refers to and edits the entry through the control communication means 121, the entry operation authority management/determination means 12211 refers to the operation authority information of the entry addition information storage means 1222. Furthermore, the entry operation authority management/determination means 12211 inquires of the flow range determination means 12212 if the edit of the entry includes change of the matching rule, and determines whether or not to allow the operation in view of the returned determination result.

When the controller 11 registers the entry, the flow range determination means 12212 determines whether or not to perform the control by the controller 11. Specifically, it is determined whether or not the range in which the controller 11 requests the control falls within the flow range in which the control is allowed. The flow range to be allowed may be, for example, a union of the matching rules of the entry with the action for inquiring of the controller. The invalidated flow range may be the matching rule, having the action for inquiring of the other controller, which has higher priority than that of the entry which is grounds for the allowed range.

FIG. 9 illustrates an example of the entry addition information stored corresponding to the entry of the flow table 125 and the entry addition information storage means 1222. An example of determination which is performed in the flow range determination means 12212 is explained using FIG. 9. In the flow table, the first column shows priority, the second column shows the matching rules, and the third column shows the actions. In the entry addition information, the first column shows operation authorities of the corresponding entry in the flow table 125, and the second column shows owners of the corresponding entry. In the example in FIG. 9, the entries are arranged in descending order of priority, like FIG. 6. In the example in FIG. 9, the controller A limits the range of the flow where the controller B controls. “Controller: A” in the column of the actions means that when receiving a packet which matches the flow A, the switch 12 inquires of the controller A about processing. In this case, there are two conditions under which the controller B can register the entry with the matching rule which is the flow B. One of the conditions is that the range of the flow shown by the flow B is included in the range of the flow shown by the flow C which is the matching rule of the entry of the controller A having the action for inquiring of the controller B. The other is that the magnitude relationship of priority of the entry is a−n<a−k<a.

[Operation]

FIGS. 10 to 13 are flowcharts illustrating an operation of the communication system 1 of the second exemplary embodiment. The operation of the second exemplary embodiment is described using the flowcharts.

FIG. 10 is the flowchart illustrating the operation which is performed when the switch 12 receives a packet in the second exemplary embodiment.

The data processing means 124 receives a packet from a different communication device in a network which is not shown (S11). Next, the flow identification means 123 determines whether or not the received packet matches the matching rule of the entry of the flow table 125 (S12).

If the entry of the flow table 125 which matches the received packet exists, the flow identification means 123 determines whether or not the action of the matched entry is an inquiry as to processing designating a controller (S13).

If it is determined that the action of the matched entry is the inquiry as to the processing designating the controller, the controller designation processing inquiry means 1211 performs the inquiry as to processing to the designated controller (S14).

If it is determined that the action of the matched entry is not the inquiry as to the processing designating the controller, the data processing means 124 performs packet processing according to the action of the matched entry (step S16). The data processing means 124, for example, transfers the received packet to another communication device, or abandons the received packet.

If it is determined that the packet does not match the matching rule of the entry of the flow table in S12, the control communication means 121 inquires of the controller which is set as default about the processing (S15).
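The packet-reception procedure of FIG. 10 (S11 to S16), as an added Python example that is not part of the patent text. It assumes matching rules reduced to source and destination IPv4 prefixes; the addresses, priorities and action tuples are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Entry:
    priority: int
    src: Optional[str]   # source-IP prefix; None designates a wildcard
    dst: Optional[str]   # destination-IP prefix; None designates a wildcard
    action: tuple        # ("inquire", controller) | ("output", port) | ("drop",)


# Constructed flow table in descending order of priority, as in FIG. 6.
FLOW_TABLE = [
    Entry(100, "10.1.0.0/16", None, ("inquire", "A")),         # flow A
    Entry(90, "10.2.3.0/24", "192.0.2.0/24", ("output", 3)),   # flow B
    Entry(80, "10.2.0.0/16", None, ("inquire", "B")),          # flow C
]


def tuple_matches(rule, value):
    """A wildcard tuple matches anything; otherwise the address must be in the prefix."""
    return rule is None or ip_address(value) in ip_network(rule)


def lookup(flow_table, pkt):
    """S12: highest-priority entry whose matching rule covers the packet, or None."""
    hits = [e for e in flow_table
            if tuple_matches(e.src, pkt["src"]) and tuple_matches(e.dst, pkt["dst"])]
    return max(hits, key=lambda e: e.priority, default=None)


def on_packet(flow_table, pkt, default_controller):
    entry = lookup(flow_table, pkt)
    if entry is None:
        # S15: no entry matches, so the controller set as default is asked.
        return ("inquire", default_controller, "default")
    if entry.action[0] == "inquire":
        # S13 -> S14: the matched entry itself names the controller to ask.
        return ("inquire", entry.action[1], "designated")
    # S16: ordinary action, carried out by the data processing means.
    return ("apply", entry.action)
```

A packet from 10.2.3.7 to 203.0.113.5 misses flow B on the destination tuple and falls through to flow C, so the inquiry goes to controller B rather than to the default controller.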

FIG. 11 and FIG. 12 are flowcharts illustrating operations which are performed when the switch 12 receives the entry edit command from the controller 11.

Initially, the control communication means 121 receives the entry edit command from the controller 11 (S21).

Next, the flow table management means 122 determines whether or not the received command is the command for adding the entry to the flow table 125 (S22).

If it is determined that the received command is not the command for adding the entry to the flow table in S22, an operation of S23 is performed. The entry operation authority management/determination means 12211 refers to the authority information stored in the entry addition information storage means 1222 (S23). After that, the entry operation authority management/determination means 12211 determines whether or not the controller which sends the command is allowed to perform a request operation for the entry which is the edit target (S24).

If it is determined that the entry edit command is the command for adding the entry to the flow table in S22, processing of S26 is performed. The processing of S26 is described below.

If it is determined that the request operation for the entry which is the edit target is allowed in S24, the authority management/determination means 1221 performs processing of S25. The authority management/determination means 1221 determines whether or not the entry edit command is the command which changes priority of the entry or the matching rule (S25).

If the controller which sends the entry edit command is not allowed to perform the request operation for the entry which is the edit target in S24, an operation command is rejected (step S30).

If it is determined that the entry edit command is the command which changes priority of the entry or the matching rule in S25, the flow range determination means 12212 performs processing of S26. The flow range determination means 12212 determines whether or not the priority of the entry or the matching rule after change which is requested by the entry edit command falls within the range which is allowable for the request source controller (S26).

If it is determined that the priority of the entry or the matching rule after change which is requested by the entry edit command falls within the range which is allowed for the controller in S26, the entry operation authority management/determination means 12211 performs processing of S27. The entry operation authority management/determination means 12211 determines whether the entry operation authority designation includes a new addition, includes a change, or includes neither a new addition nor a change (S27).

If it is determined that new addition or change is included in entry operation authority designation in S27, the entry operation authority management/determination means 12211 performs processing of S28. In the entry operation authority management/determination means 12211, the entry operation authority of the entry addition information storage means 1222 is edited (step S28). After that, the flow table operation means 1223 performs the operation command (step S29). If it is determined that neither new addition nor change is included in entry operation authority designation in S27, processing of S28 is skipped and processing of S29 is performed.

The controller 11 may transmit a command for referring to the flow table to the switch 12 in order to manage the switch 12. Hereinafter, the command is called a flow table reference command. FIG. 13 is a flowchart illustrating an operation which is performed when the switch 12 receives the flow table reference command from the controller 11.

First, the switch 12 receives the flow table reference command from the controller 11 through the control communication means 121 (S31).

Next, the entry operation authority management/determination means 12211 refers to the authority information stored in the entry addition information storage means 1222 (S32).

After S32, the entry operation authority management/determination means 12211 extracts the entry whose reference authority is held by the controller which is the command transmission source (S33).

The flow table operation means 1223 obtains, from the flow table 125, the entry extracted in S33 (S34).

In the entry operation authority management/determination means 12211, the entry addition information corresponding to the entry extracted in step S32 is obtained from the entry addition information storage means 1222 (S35).

Next, the entry operation authority management/determination means 12211 duplicates the entry addition information obtained in S35 (S36).

In addition, the entry operation authority management/determination means 12211 converts the authority information in the entry addition information duplicated in S36 into authority which the controller requesting reference has (S37).

Finally, the control communication means 121 transmits the entry obtained in S34 and the entry addition information converted in S37 to the controller 11 requesting reference (S38).
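An added Python example, not code from the patent, of how a switch could apply the entry edit command checks (S21 to S30) and the flow table reference command (S31 to S38) described above. Assumptions: matching rules are source-IPv4 prefixes, the default controller's flow range is unrestricted, the priority condition a−n<a−k<a is read as "above the grounding entry and below every entry that inquires of another controller", and the permission values `ReadWrite` and `NoAccess` are hypothetical (only `ReadOnly` appears on the page).

```python
import copy
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class FlowEntry:               # one row of the flow table 125
    priority: int
    match: str                 # assumption: a source-IP prefix stands in for the matching rule
    action: tuple              # ("inquire", controller) | ("output", port) | ("drop",)

@dataclass
class Authority:               # one row of the entry addition information (FIG. 9)
    owner: str
    others: str = "ReadOnly"   # FIG. 7's value; "ReadWrite" and "NoAccess" are hypothetical

class Switch:
    def __init__(self, default_controller):
        self.default = default_controller  # assumption: its flow range is unrestricted
        self.flow_table = {}               # entry id -> FlowEntry
        self.addition_info = {}            # entry id -> Authority

    def _authority(self, sender, eid):
        auth = self.addition_info[eid]
        return "Owner" if sender == auth.owner else auth.others

    def _in_allowed_range(self, sender, match, priority, skip_id):   # S26
        if sender == self.default:
            return True
        want = ip_network(match)
        rows = [e for i, e in self.flow_table.items() if i != skip_id]
        for ground in rows:
            # Grounds: an entry that inquires of the sender, covers the requested
            # range and has lower priority than the requested entry.
            if (ground.action != ("inquire", sender)
                    or not want.subnet_of(ip_network(ground.match))
                    or priority <= ground.priority):
                continue
            # Entries above the grounds that inquire of another controller cap the
            # priority and invalidate the part of the range they overlap.
            foreign = [e for e in rows if e.action[0] == "inquire"
                       and e.action[1] != sender and e.priority > ground.priority]
            if all(priority < e.priority and not want.overlaps(ip_network(e.match))
                   for e in foreign):
                return True
        return False

    def handle_edit(self, sender, cmd):                               # S21
        eid, adding = cmd["id"], cmd["op"] == "add"                   # S22
        if adding == (eid in self.flow_table):
            return "rejected"  # adding an existing id, or editing a missing one
        if adding:
            new = FlowEntry(cmd["priority"], cmd["match"], cmd["action"])
        else:
            mine = self._authority(sender, eid)                       # S23
            if mine not in ("Owner", "ReadWrite"):                    # S24
                return "rejected"                                     # S30
            if "others" in cmd and mine != "Owner":
                return "rejected"  # assumption: only the owner re-designates authority
            old = self.flow_table[eid]
            new = FlowEntry(cmd.get("priority", old.priority),
                            cmd.get("match", old.match),
                            cmd.get("action", old.action))
        if adding or "priority" in cmd or "match" in cmd:             # S25
            if not self._in_allowed_range(sender, new.match, new.priority, eid):
                return "rejected"  # assumption: out-of-range requests are refused
        if adding:                                                    # S27, S28
            self.addition_info[eid] = Authority(sender, cmd.get("others", "ReadOnly"))
        elif "others" in cmd:
            self.addition_info[eid].others = cmd["others"]
        self.flow_table[eid] = new                                    # S29
        return "accepted"

    def handle_reference(self, sender):                               # S31
        reply = {}
        for eid in self.addition_info:                                # S32
            granted = self._authority(sender, eid)
            if granted == "NoAccess":                                 # S33
                continue
            entry = copy.copy(self.flow_table[eid])                   # S34
            info = copy.copy(self.addition_info[eid])                 # S35, S36
            reply[eid] = (entry, {"owner": info.owner, "authority": granted})  # S37
        return reply                                                  # S38

def fig9_scenario():
    """Constructed replay of FIG. 9 with a=100, k=10, n=20 and made-up prefixes."""
    sw = Switch(default_controller="A")
    add = lambda who, eid, prio, match, action, **kw: sw.handle_edit(
        who, {"op": "add", "id": eid, "priority": prio, "match": match, "action": action, **kw})
    results = [
        add("A", "flowA", 100, "10.1.0.0/16", ("inquire", "A"), others="ReadOnly"),
        add("A", "flowC", 80, "10.2.0.0/16", ("inquire", "B"), others="ReadOnly"),
        add("A", "mgmt", 110, "10.9.0.0/16", ("inquire", "A"), others="NoAccess"),
        add("B", "flowB", 90, "10.2.3.0/24", ("output", 3)),   # inside flow C, a-n < a-k < a
        add("B", "x", 90, "10.3.0.0/24", ("drop",)),           # outside flow C
        add("B", "y", 100, "10.2.4.0/24", ("drop",)),          # not below flow A
        sw.handle_edit("B", {"op": "modify", "id": "flowC", "priority": 50}),  # not the owner
    ]
    return sw, results
```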

Advantageous Effects

As described above, the communication system of the second exemplary embodiment uses the action designating any one of the controllers 11 as the action for the entry of the flow table 125. Thereby, it becomes possible to separate the controllers of which the processing of the packet is inquired, for each flow range. As a result, for example, the control, in which one controller is determined for a specific flow, is possible.

The switch 12 holds the authority information of the controller 11 for each entry and restricts the operation for the entry of the flow table 125. Thereby the flow range which the controller 11 can control is restricted. Therefore, it is possible to prevent a different controller from unintentionally overwriting a control policy.

On the basis of the above operations, it becomes possible to directly control the switch 12 by a plurality of controllers 11 while determining a control range and an authority range. Consequently, according to the second exemplary embodiment, even though a plurality of controllers 11 to control the switch 12 are arranged, one controller 11 to control the received packet can be determined. It is therefore possible to control the switch 12 by the plurality of controllers 11.

Third Exemplary Embodiment

[Configuration]

A third exemplary embodiment of the invention is described below. In the third exemplary embodiment, the flow table management means 122 of the switch 12 and a flow table 225 are different from those of the second exemplary embodiment. The description below focuses on the items which are different from the flow table management means 122. Descriptions of the configuration and the operation similar to those of the second exemplary embodiment are omitted.

FIG. 14 is a block diagram illustrating flow table management means 222 of the third exemplary embodiment. In FIG. 14, the flow table management means 222 includes authority management/determination means 2221 and the flow table operation means 1223. The authority management/determination means 2221 includes entry operation authority management/determination means 22211 and flow range determination means 22212. The entry operation authority management/determination means 22211 connects with the control communication means 121, the flow range determination means 22212 and the flow table operation means 1223.

Compared with the flow table management means 122 of the second exemplary embodiment, the entry addition information storage means 1222 is not included. In the third exemplary embodiment, the flow table 225 stores information which the entry addition information storage means 1222 of the second exemplary embodiment stores. FIG. 15 illustrates an example of the flow table 225 of the third exemplary embodiment. In FIG. 15, the flow table 225 stores the authority information in addition to the information which the flow table 125 of the second exemplary embodiment stores.

[Operation]

In the switch 12 of the third exemplary embodiment, when it is necessary to refer to or edit the entry addition information in the operation which is performed when the entry edit command is received from the controller 11, the flow table 225 is referred to or edited.

FIG. 16 is a flowchart illustrating operations which are performed when the switch 12 of the third exemplary embodiment receives the flow table reference command. The operation illustrated in FIG. 16 differs in the operations at and after S34 from the operation of the second exemplary embodiment. The other operations similar to those of the second exemplary embodiment have the same reference numerals as those of FIG. 13, and detailed descriptions thereon are omitted.

The entry operation authority management/determination means 22211 duplicates the entry obtained in S33 and S34 (S236).

Next, the entry operation authority management/determination means 22211 converts the authority information, which the entry duplicated in S236 includes, into the authority which the controller requesting the reference includes (S237).

Finally, the control communication means 121 informs the controller 11 requesting the reference of the entry converted in S237 (S238).
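The reference handling of S236 to S238 can be sketched as follows. This is an added example, not code from the patent; the class names, the `"read"`/`"edit"` right names, the shape of the authority information (controller identifier mapped to a set of rights), and the reading of S237 as "reduce the copy's authority information to the requester's own rights" are assumptions made for illustration.

```python
import copy
from dataclasses import dataclass, field


@dataclass
class FlowEntry:
    priority: int
    match: dict      # header field -> value; a missing field is a wildcard
    action: str
    # Authority information kept in the flow table itself (third embodiment).
    # Assumed shape: controller id -> set of rights ("read", "edit").
    authority: dict = field(default_factory=dict)


class FlowTable225:
    def __init__(self, entries):
        self.entries = list(entries)

    def referable_entries(self, controller_id):
        """Assumed stand-in for the steps before S236: entries the requester may refer to."""
        return [e for e in self.entries
                if "read" in e.authority.get(controller_id, set())]

    def handle_reference(self, controller_id):
        """Build the reply to a flow table reference command."""
        reply = []
        for entry in self.referable_entries(controller_id):
            # S236: work on a duplicate so the stored entry is never altered.
            dup = copy.deepcopy(entry)
            # S237: convert the authority information into the requester's own
            # authority, so other controllers' rights are not disclosed.
            dup.authority = {controller_id: dup.authority.get(controller_id, set())}
            reply.append(dup)
        # S238: the converted duplicates are what the controller is informed of.
        return reply


def build_sample_table():
    """Constructed sample data; the action strings are illustrative notation."""
    return FlowTable225([
        FlowEntry(100, {"ip_src": "10.0.0.1"}, "inquire:c1",
                  {"c1": {"read", "edit"}, "c2": {"read"}}),
        FlowEntry(50, {"ip_src": "10.0.0.2"}, "inquire:c2",
                  {"c2": {"read", "edit"}}),
    ])
```

Because the reply is built from deep copies, a controller that mutates what it receives cannot change the authority information the switch enforces.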

Advantageous Effects

The communication system 1 of the third exemplary embodiment has the same effect as the second exemplary embodiment. That is, the action designating any one of the controllers 11 is used as the action for the entry of the flow table 225 of the third exemplary embodiment. Thereby, it becomes possible to separate the controllers of which the processing of the packet is inquired, for each flow range. As a result, for example, the control, in which one controller which controls for a specific flow is determined, is possible.

The switch 12 holds the authority information of the controller 11 for each entry and restricts the operation for the entry of the flow table 225. Thereby the flow range which the controller 11 can control is restricted. Therefore, it is possible to prevent a different controller from unintentionally overwriting the control policy.

On the basis of the above operations, it becomes possible to directly control the switch 12 by a plurality of controllers 11 while determining a control range and an authority range. Consequently, according to the third exemplary embodiment, even though a plurality of controllers 11 to control the switch 12 exist, one controller 11 to control the received packet can be determined. It is, therefore, possible to control the switch 12 by the plurality of controllers 11.

Fourth Exemplary Embodiment

[Configuration]

FIG. 17 illustrates a switch 32 of a fourth exemplary embodiment of the invention. As shown in FIG. 17, the switch 32 of the fourth exemplary embodiment differs from that of the second exemplary embodiment in control communication means 321, flow table management means 322 and a flow table 325. The other elements are similar to those of the second and third exemplary embodiments. The other elements similar to those of the second exemplary embodiment have the same reference numerals as FIGS. 4, 5, and 8, and detailed descriptions thereon are omitted.

In the fourth exemplary embodiment, an inquiry as to processing designating the controller may not be registered in the flow table 325 as the action. The case in which an inquiry as to processing designating the controller is not registered in the action of the flow table 325 is described below.

In the fourth exemplary embodiment, the control communication means 321 includes the controller designation processing inquiry means 1211, processing inquiry destination allocation means 3212, and a controller flow table 3213. In the fourth exemplary embodiment, processing inquiry destination management means 3224 is added to the flow table management means 322 of the second exemplary embodiment.

The newly added elements in the fourth exemplary embodiment are described. First, the processing inquiry destination allocation means 3212 chooses a controller to be inquired, in response to the inquiry to the controller 11 as to contents of processing of the packet. The processing inquiry destination allocation means 3212 converts a processing inquiry instruction without designating the controller into a processing inquiry instruction designating the controller.

FIG. 18 illustrates an example of the controller flow table 3213. In FIG. 18, the controller flow table 3213 includes, as the entry, at least the priority, the matching rule and an identifier of the destination controller. The identifier of the controller may be any one which is uniquely decided for the controller.

The processing inquiry destination management means 3224 manages an allocation standard of a processing inquiry destination, and converts an action part of the entry.

[Operation]

FIG. 19 and FIG. 20 are flowcharts illustrating operations of the switch 32 of the fourth exemplary embodiment of the invention. The operations similar to those of the second exemplary embodiment have the same reference numerals as FIG. 10 and descriptions thereof are omitted.

FIG. 19 is the flowchart illustrating operations which are performed when the switch 32 receives a packet. First, the switch 32 receives a packet and determines whether or not the packet matches the matching rule of the entry in the flow table (S11, S12).

In S12, if it is determined that the received packet matches the matching rule of the entry in the flow table, the flow identification means 123 determines whether or not the action of the entry in the matched matching rule is an inquiry as to processing to a controller (S13).

In S13, if it is determined that the action of the matched entry is the inquiry as to processing to the controller, the processing of S317 is performed. The processing inquiry destination allocation means 3212 searches the controller of which processing of the received packet is inquired, with reference to the controller flow table 3213 (S317). Specifically, the processing inquiry destination allocation means 3212 searches the entry having the matching rule of the controller flow table 3213 corresponding to the matching rule which the received packet matches. The processing inquiry destination allocation means 3212 obtains the destination controller of the searched entry as the inquiry destination.

Next, the processing inquiry destination allocation means 3212 converts a processing inquiry to the controller without designating a destination into a processing inquiry addressed to the searched controller (S318).

After that, the controller designation processing inquiry means 1211 inquires of the designated controller about the processing (S14).

FIG. 20 is a flowchart illustrating operations which are performed when the controller 11 instructs the switch 32 to register the entry designating the processing inquiry destination. In the second and the third exemplary embodiments, if the instruction to register the entry is received, it is directly registered in the flow table. In the fourth exemplary embodiment, the registration in the controller flow table 3213 is further required.

The control communication means 321 receives the instruction to register the entry designating the processing inquiry destination, from the controller 11 (S341).

Next, the authority management/determination means 1221 performs authority determination of the entry, like the second exemplary embodiment (S342).

Next, the processing inquiry destination management means 3224 registers the entry which takes the matching rule as key and takes the identifier of the controller as value on the controller flow table 3213, and gives priority to the entry (S343).

The processing inquiry destination management means 3224 replaces the action in the entry registration instruction with the processing inquiry without designating a controller (S344).

Finally, the flow table operation means 1223 registers the entry in the flow table 325 (S345).
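The two flows of the fourth exemplary embodiment, registration (S341 to S345) and packet reception (S11 to S14 with S317 and S318), are sketched below. This is an added example, not code from the patent; the `Authority` model (a priority ceiling plus a flow range the new rule must fall inside), the tuple encoding of matching rules and actions, and the `"no_match"`/`"unresolved"` return values are assumptions, since the authority determination of S342 is defined in the second exemplary embodiment.

```python
from dataclasses import dataclass

INQUIRE = "inquire"   # processing inquiry without designating a controller


def rule(**fields):
    """Matching rule as a hashable tuple; an omitted field is a wildcard."""
    return tuple(sorted(fields.items()))


def packet_matches(match, packet):
    return all(packet.get(name) == value for name, value in match)


@dataclass(frozen=True)
class Authority:
    """Assumed authority model: a priority ceiling and a permitted flow range."""
    max_priority: int
    flow_range: tuple

    def permits(self, priority, match):
        # The new rule must pin every field the range pins, to the same value.
        return priority <= self.max_priority and set(self.flow_range) <= set(match)


class Switch32:
    def __init__(self, authority):
        self.authority = authority          # controller id -> Authority
        self.flow_table = []                # flow table 325: (priority, match, action)
        self.controller_flow_table = []     # table 3213: (priority, match, controller id)

    def register(self, sender, priority, match, action):
        """S341: `action` is ("inquire", controller_id) or, e.g., ("output", port)."""
        auth = self.authority.get(sender)
        if auth is None or not auth.permits(priority, match):                 # S342
            return False
        if action[0] == "inquire":
            self.controller_flow_table.append((priority, match, action[1]))   # S343
            action = INQUIRE                                                  # S344
        self.flow_table.append((priority, match, action))                     # S345
        return True

    def receive(self, packet):
        hits = [e for e in self.flow_table if packet_matches(e[1], packet)]   # S11, S12
        if not hits:
            return ("no_match", None)       # handling of a miss is outside this sketch
        _, match, action = max(hits, key=lambda e: e[0])
        if action != INQUIRE:                                                 # S13
            return ("apply", action)
        # S317: look up the controller by the matching rule the packet matched.
        owners = [r for r in self.controller_flow_table if r[1] == match]
        if not owners:
            return ("unresolved", None)
        controller = max(owners, key=lambda r: r[0])[2]
        return ("inquire", controller)      # S318, then S14 sends the inquiry


def build_demo_switch():
    """Constructed sample: c1 may control any flow, c2 only flows from 10.0.0.2."""
    sw = Switch32({"c1": Authority(100, rule()),
                   "c2": Authority(50, rule(ip_src="10.0.0.2"))})
    sw.register("c1", 10, rule(ip_src="10.0.0.1"), ("inquire", "c1"))
    sw.register("c2", 20, rule(ip_src="10.0.0.2", tcp_dst=80), ("inquire", "c2"))
    sw.register("c1", 30, rule(ip_src="10.0.0.1", tcp_dst=443), ("output", 2))
    return sw
```

A registration that fails S342 leaves both tables untouched, so a controller cannot steer inquiries for flows outside its range to itself.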

Advantageous Effects

The communication system 1 in the fourth exemplary embodiment has the same effect as the communication system 1 of the second and the third exemplary embodiment. That is, with respect to the action of the processing inquiry to the controller in the entry of the flow table 325 of the fourth exemplary embodiment, the switch 32 stores the controller to be the inquiry destination, in the controller flow table 3213. Thereby the controllers of which the packet processing is inquired can be separated for each flow range. As a result, for example, the control, in which one controller which controls for a specific flow is determined, is possible.

The switch 32 holds the authority information of the controller 11 for each entry, and restricts operations with respect to the entry in the flow table 325. Thereby, the controller 11 restricts the controllable flow range. Therefore, it is possible to prevent a different controller from unintentionally overwriting the control policy.

On the basis of the above operations, it becomes possible to directly control the switch 32 by a plurality of controllers 11 while determining the control range and the authority range. Consequently, according to the third exemplary embodiment, even though a plurality of controllers 11 to control the switch 32 are arranged, one controller 11 to control the received packet can be determined. It is therefore possible to control the switch 32 by the plurality of controllers 11.

While the invention has been particularly shown and described with reference to exemplary embodiments thereof, the invention is not limited to these embodiments. It will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the spirit and scope of the present invention as defined by the claims.

The switch of each exemplary embodiment is optionally applicable to a communication terminal, other communication apparatus, and the like, and not limited to the switch.

In the exemplary embodiments, the network to which the OpenFlow is applied is explained, but the present embodiment is not limited thereto. The present embodiment is applicable to the network in which a control server centrally controls the switch, other than the OpenFlow.

The functions of the switches of the exemplary embodiments, the communication terminal having the same function as the switch, and other communication apparatus can be achieved by hardware. The switch of the exemplary embodiment, the communication terminal having the same function as the switch, and other communication apparatus can be achieved using a computer and a program causing the computer to execute. The program is provided by being stored in a recording medium, like a magnetic disc, semiconductor memory, and the like, and is read by the computer at the time of booting the computer. The program controls the computer operations, and makes the computer work as the switch of the exemplary embodiments, the communication terminal and the communication apparatus which have the same function as the switch and causes them to execute processing described above.

The whole or part of the exemplary embodiments disclosed above can be described as, but not limited to, the following supplementary notes.

Supplementary Note 1

A communication terminal controlled by a control device, comprising:

a first storage means for associating information identifying a packet with processing of the packet and storing it as an entry;

a searching means for searching processing corresponding to a received packet from the first storage means; and

an inquiry means for determining the control device of which is inquired, based on the entry corresponding to the received packet, the entry being stored in the first storage means, if the searched processing is the inquiry to the control device, and for performing the inquiry addressed to the determined control device.

Supplementary Note 2

The communication terminal of Supplementary note 1, wherein the processing of the packet stored in the first storage means includes performing the inquiry as to the processing of the packet by designating any one of the control devices.

Supplementary Note 3

The communication terminal of Supplementary note 1, further comprising a second storage means for storing the control device corresponding to the entry stored in the first storage means, wherein when determining the control device of which is inquired, the inquiry means refers to the second storage means.

Supplementary Note 4

The communication terminal of any one of Supplementary note 1 to Supplementary note 3, further comprising a third storage means for storing authority for the entry.

Supplementary Note 5

The communication terminal of any one of Supplementary note 1 to Supplementary note 3, wherein the first storage means associates the authority for the entry with the entry and stores.

Supplementary Note 6

The communication terminal of Supplementary note 4 or Supplementary note 5, further comprising an authority determination means for determining whether or not to edit the entry by the control device with reference to the authority for the entry when a request for edit of the entry is received from the control device.

Supplementary Note 7

The communication terminal of Supplementary note 6, wherein the authority determination means determines whether or not to edit the entry by the control device on the basis of at least one of priority of the entry and the information identifying a packet.

Supplementary Note 8

The communication terminal of Supplementary note 6 or Supplementary note 7, wherein the authority determination means determines whether or not to refer to the entry by the control device with reference to the authority for the entry when a request for referring to the entry is received from the control device.

Supplementary Note 9

A communication method, comprising the steps of:

searching processing corresponding to a received packet from a first storage means for associating information identifying a packet with processing of the packet and storing it as an entry;

determining the control device of which is inquired, based on the entry corresponding to the received packet, the entry being stored in the first storage means, if the searched processing is the inquiry to the control device controlling a communication terminal; and

performing the inquiry addressed to the determined control device.

Supplementary Note 10

The communication method of Supplementary note 9, wherein the processing of the packet stored in the first storage means includes performing the inquiry as to the processing of the packet by designating any one of the control devices.

Supplementary Note 11

The communication method of Supplementary note 9, wherein a second storage means for storing the control device corresponding to the entry stored in the first storage means is referred to, when the control device of which is inquired is determined.

Supplementary Note 12

The communication method of any one of Supplementary note 9 to Supplementary note 11, wherein authority for the entry is stored.

Supplementary Note 13

The communication method of any one of Supplementary note 9 to Supplementary note 11, wherein the first storage means associates the authority for the entry with the entry and stores it.

Supplementary Note 14

The communication method of Supplementary note 12 or Supplementary note 13, further comprising determining whether or not to edit the entry by the control device with reference to the authority for the entry when a request for edit of the entry is received from the control device.

Supplementary Note 15

The communication method of Supplementary note 14, wherein it is determined whether or not to edit the entry by the control device on the basis of at least one of priority of the entry and the information identifying a packet.

Supplementary Note 16

The communication method of Supplementary note 14 or Supplementary note 15, further comprising determining whether or not to refer to the entry by the control device with reference to the authority for the entry when a request for referring to the entry is received from the control device.

Supplementary Note 17

A program for causing a computer to execute processes comprising:

searching processing corresponding to a received packet from a first storage means for associating information identifying a packet with processing of the packet and storing it as an entry;

determining the control device of which is inquired, based on the entry corresponding to the received packet, the entry being stored in the first storage means, if the searched processing is the processing to be inquired of the control device controlling a communication terminal; and

performing the inquiry addressed to the determined control device.

Supplementary Note 18

The program of Supplementary note 17, wherein the processing of the packet stored in the first storage means includes performing the inquiry as to the processing of the packet by designating any one of the control devices.

Supplementary Note 19

The program of Supplementary note 18, wherein a second storage means for storing the control device corresponding to the entry stored in the first storage means is referred to, when the control device to be inquired is determined.

Supplementary Note 20

The program of any one of Supplementary note 17 to Supplementary note 19, wherein authority for the entry is stored.

Supplementary Note 21

The program of any one of Supplementary note 17 to Supplementary note 19, wherein the first storage means associates the authority for the entry with the entry and stores it.

Supplementary Note 22

The program of Supplementary note 20 or Supplementary note 21, the processes further comprising determining whether or not to edit the entry by the control device with reference to the authority for the entry when a request for edit of the entry is received from the control device.

Supplementary Note 23

The program of Supplementary note 22, wherein it is determined whether or not to edit the entry by the control device on the basis of at least one of priority of the entry and the information identifying a packet.

Supplementary Note 24

The program of Supplementary note 22 or Supplementary note 23, the processes further comprising determining whether or not to refer to the entry by the control device with reference to the authority for the entry when a request for referring to the entry is received from the control device.

Supplementary Note 25

A switch controlled by a control device, comprising

a first storage means for associating information identifying a packet with processing of the packet and storing it as an entry;

a searching means for searching processing corresponding to a received packet from the first storage means; and

an inquiry means for determining the control device to be inquired, based on the entry corresponding to the received packet, the entry being stored in the first storage means, if the searched processing is the inquiry to the control device, and for performing the inquiry addressed to the determined control device.

Supplementary Note 26

The switch of Supplementary note 25, wherein the processing of the packet stored in the first storage means includes performing the inquiry as to the processing of the packet by designating any one of the control devices.

Supplementary Note 27

The switch of Supplementary note 25, further comprising a second storage means for storing the control device corresponding to the entry stored in the first storage means, wherein when determining the control device of which is inquired, the inquiry means refers to the second storage means.

Supplementary Note 28

The switch of any one of Supplementary note 25 to Supplementary note 27, further comprising a third storage means for storing authority for the entry.

Supplementary Note 29

The switch of any one of Supplementary note 25 to Supplementary note 28, wherein the first storage means associates the authority for the entry with the entry and stores it.

Supplementary Note 30

The switch of Supplementary note 28 or Supplementary note 29, further comprising an authority determination means for determining whether or not to edit the entry by the control device with reference to the authority for the entry when a request for edit of the entry is received from the control device.

Supplementary Note 31

The switch of Supplementary note 30, wherein the authority determination means determines whether or not to edit the entry by the control device on the basis of at least one of priority of the entry and the information identifying a packet.

Supplementary Note 32

The switch of Supplementary note 30 or Supplementary note 31, wherein the authority determination means further determines whether or not to refer to the entry by the control device with reference to the authority for the entry when a request for referring to the entry is received from the control device.

Supplementary Note 33

A communication system, comprising:

a control device; and

a communication terminal controlled by the control device, wherein the communication terminal comprises:

a first storage means for associating information identifying a packet with processing of the packet and storing as an entry;

a searching means for searching processing corresponding to a received packet from the first storage means; and

an inquiry means for determining the control device of which is inquired, based on the entry corresponding to the received packet, the entry being stored in the first storage means, if the searched processing is the inquiry to the control device, and for performing the inquiry addressed to the determined control device.

Supplementary Note 34

The communication system of Supplementary note 33, wherein the processing of the packet stored in the first storage means includes performing the inquiry as to the processing of the packet by designating any one of the control device.

Supplementary Note 35

The communication system of Supplementary note 33, wherein the communication terminal further comprises a second storage means for storing the control device corresponding to the entry stored in the first storage means, wherein the inquiry means refers to the second storage means when the control device of which is inquired is determined.

Supplementary Note 36

The communication system of any one of Supplementary note 33 to Supplementary note 35, wherein the communication terminal further comprises a third storage means for storing authority for the entry.

Supplementary Note 37

The communication system of any one of Supplementary note 33 to Supplementary note 36, wherein the first storage means associates the authority for the entry with the entry and stores.

Supplementary Note 38

The communication system of Supplementary note 36 or Supplementary note 37, wherein the communication terminal further comprises an authority determination means for determining whether or not to edit the entry by the control device with reference to the authority for the entry when a request for referring to the entry is received from the control device.

Supplementary Note 39

The communication system of Supplementary note 38, wherein the authority determination means determines whether or not to edit the entry by the control device on the basis of at least one of priority of the entry and the information identifying a packet.

Supplementary Note 40

The communication system of Supplementary note 38 or Supplementary note 39, wherein the authority determination means further determines whether or not to refer to the entry by the control device with reference to the authority for the entry when a request for referring to the entry is received from the control device.

This application is based upon and claims the benefit of priority from Japanese patent application No. 2011-207659, filed on Sep. 22, 2011, the disclosure of which is incorporated herein in its entirety by reference.

REFERENCE SIGNS LIST

- 1 Communication System
- 11 Controller
- 12, 32 Switch
- 121, 321 Control Communication Means
- 122, 222, 322 Flow Table Management Means
- 123 Flow Identification Means
- 124 Data Processing Means
- 125, 225, 325 Flow Table
- 1211 Controller Designation Processing Inquiry Means
- 1221, 2221 Authority Management/Determination Means
- 1222 Entry Addition Information Storage Means
- 1223 Flow Table Operation Means
- 3212 Processing Inquiry Destination Allocation Means
- 3213 Controller Flow Table
- 3224 Processing Inquiry Destination Management Means
- 12211, 22211 Entry Operation Authority Management/Determination Means
- 12212, 22212 Flow Range Determination Means

1-40. (canceled)

41. A switch configured to process a packet, comprising: a memory storing program instructions; and a processor configured to execute the program instructions to: receive a request for controlling the switch from one of a plurality of controllers configured to control the switch; access control information corresponding to the request, based on authority information corresponding to each of the plurality of controllers, wherein the authority information represents an authority to control the switch.

42. The switch according to claim 41, wherein the processor is further configured to execute the program instructions to identify whether the one of the plurality of controllers is authorized, based on the authority information.

43. The switch according to claim 41, wherein the processor is further configured to execute the program instructions to read the control information corresponding to the request, based on the authority information corresponding to each of the plurality of controllers.

44. The switch according to claim 41, wherein the processor is further configured to execute the program instructions to modify the control information corresponding to the request, based on the authority information corresponding to each of the plurality of controllers.

45. The switch according to claim 41, wherein the control information includes a matching rule for identifying a flow of the packet, and an action for processing the packet.

46. The switch according to claim 41, wherein the plurality of controllers control the switch with OpenFlow protocol.

47. A communication system comprising: a switch configured to process a packet; and a plurality of controllers configured to control the switch, wherein the switch comprises: a memory configured to store program instructions; and a processor configured to execute the program instructions to: receive a request for controlling the switch from one of the plurality of controllers; and access a control information corresponding to the request, based on an authority information corresponding to each of the plurality of controllers, wherein the authority information represents an authority to control the switch.

48. The communication system according to claim 47, wherein the processor is further configured to execute the program instructions to identify whether the one of the plurality of controllers is authorized, based on the authority information.

49. The communication system according to claim 47, wherein the processor is further configured to execute the program instructions to read the control information corresponding to the request, based on the authority information corresponding to each of the plurality of controllers.

50. The communication system according to claim 47, wherein the processor is further configured to execute the program instructions to modify the control information corresponding to the request, based on the authority information corresponding to each of the plurality of controllers.

51. The communication system according to claim 47, wherein the control information includes a matching rule for identifying a flow of the packet, and an action for processing the packet.

52. The communication system according to claim 47, wherein the plurality of controllers control the switch with OpenFlow protocol.

53. A method for processing a packet, comprising: receiving a request for controlling a switch from one of a plurality of controllers configured to control the switch, wherein the switch is configured to process a packet; accessing control information corresponding to the request, based on authority information corresponding to each of the plurality of controllers, wherein the authority information represents an authority to control the switch.

54. The method according to claim 53, further comprising: identifying whether the one of the plurality of controllers is authorized, based on the authority information.

55. The method according to claim 53, further comprising: reading the control information corresponding to the request, based on the authority information corresponding to each of the plurality of controllers.

56. The method according to claim 53, further comprising: modifying the control information corresponding to the request, based on the authority information corresponding to each of the plurality of controllers.

57. The method according to claim 53, wherein the control information includes a matching rule for identifying a flow of the packet, and an action for processing the packet.

58. The method according to claim 53, wherein the plurality of controllers control the switch with OpenFlow protocol.